Your message dated Sat, 01 Feb 2014 19:17:43 +0000
with message-id <[email protected]>
and subject line Bug#736359: fixed in localepurge 0.6.2+nmu1+squeeze1
has caused the Debian Bug report #736359,
regarding localepurge: CVE-2014-1638: tmp file vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
736359: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: localepurge
Version: 0.6.2+nmu1
Severity: important
Tags: security

Hi Niels,

the maintainer scripts of localepurge contain a funny tmp file
vulnerability:

$ grep tempfile -r .
./debian/postrm:    DEBREINSTALL="$(tempfile).$$"
./debian/localepurge.config:TEMPFILE=$(tempfile).$$
./debian/localepurge.config:LOCALEGEN=$(tempfile).locale.gen
$

All of them are doing it wrong. They create a secure tempfile, but don't
use it and instead generate a (now) predictable(!) name without opening
it in a safe (O_CREAT) way.

Helmut

--- End Message ---
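Added example (not code from localepurge's maintainer scripts): the reported `$(tempfile).$$` pattern next to the mktemp-based fix the changelog describes, with a small check a script can run before trusting a temp path. The function names are made up, and mktemp stands in for Debian's tempfile(1) so the script runs anywhere.

```shell
#!/bin/sh
# Added illustration, not code from localepurge. It contrasts the reported
# "$(tempfile).$$" pattern with the mktemp-based fix named in the changelog.
# Function names (unsafe_name, safe_tempfile, is_private_file, demo) are
# invented; mktemp stands in for tempfile(1) so the script runs anywhere.

# Reported pattern. tempfile(1) does create a private file atomically, but the
# script only uses its name as a prefix: "$prefix.$$" itself is never created
# here, so nothing reserves that path, and $$ (the PID) is easy to guess.
# Whatever exists at that path when the script later writes to it, a file or a
# symlink, is used as-is. The unused tempfile(1) file is leaked as well.
unsafe_name() {
    prefix=$(mktemp) || return 1
    printf '%s.%s\n' "$prefix" "$$"
}

# Fix: let mktemp create the final file itself. It opens with O_CREAT|O_EXCL,
# a random suffix and mode 0600, so it returns a fresh file that is ours or
# fails; it never reuses or follows something that was already there.
safe_tempfile() {
    mktemp "${TMPDIR:-/tmp}/localepurge.XXXXXX"
}

# Check a temp path before trusting it: a regular file, not a symlink,
# owned by us, mode 0600 (stat -c is GNU coreutils).
is_private_file() {
    [ -f "$1" ] && [ ! -L "$1" ] &&
        [ "$(stat -c %u "$1")" = "$(id -u)" ] &&
        [ "$(stat -c %a "$1")" = "600" ]
}

# The old pattern yields a path that is not reserved; the new one yields a
# file that passes the check.
demo() {
    old=$(unsafe_name) || return 1
    new=$(safe_tempfile) || return 1
    [ -e "$old" ] || echo "old pattern: $old does not exist yet (unreserved)"
    is_private_file "$new" && echo "fix: $new is a private 0600 file"
    rm -f "$new" "${old%.*}"
}
```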
--- Begin Message ---
Source: localepurge
Source-Version: 0.6.2+nmu1+squeeze1

We believe that the bug you reported is fixed in the latest version of
localepurge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <[email protected]> (supplier of updated localepurge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Fri, 31 Jan 2014 18:44:30 +0100
Source: localepurge
Binary: localepurge
Architecture: source all
Version: 0.6.2+nmu1+squeeze1
Distribution: squeeze
Urgency: medium
Maintainer: Paul Seelig <[email protected]>
Changed-By: Niels Thykier <[email protected]>
Description: 
 localepurge - Reclaim disk space removing unneeded localizations
Closes: 736359
Changes: 
 localepurge (0.6.2+nmu1+squeeze1) squeeze; urgency=medium
 .
    * [CVE-2014-1638] Create tempfiles in a safe manner using
      mktemp.  Thanks to Helmut Grohne for reporting the
      issue and helping with the patch.  (Closes: #736359)
    * Remove the creation of /var/tmp/reinstall_debs.sh during
      postrm.


--- End Message ---